Archive for April, 2011

Seasoned forensic investigators know the value of Windows prefetch files. A prefetch file is created by a mechanism Windows uses to increase the performance of the program loader. These files contain important program loader information such as DLL dependencies, module sizes, file paths, last run date, run count, etc. The value of prefetch files to an investigator is significant.
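As an added example (not the author's tool or any code from the original post), the following Python reads the header fields the paragraph lists from a .pf file. It assumes the documented layouts for version 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8) files; the sample header it parses is constructed inside the block, so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# (last-run FILETIME offset, run-count offset) per prefetch format version.
# Version 30 (Windows 10) files are MAM-compressed and are not handled here.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return version, executable name, prefetch hash, last run and run count."""
    version, signature, _unknown, _size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: UTF-16LE, up to 29 characters plus terminator at offset 16.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 76)[0]
    ft_off, count_off = LAYOUT[version]
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, ft_off)[0])
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"version": version, "exe": name, "hash": prefetch_hash,
            "last_run": last_run, "run_count": run_count}

def build_sample(version, exe, hash_value, last_run, run_count):
    """Constructed test header: only the fields parsed above are populated."""
    ft_off, count_off = LAYOUT[version]
    buf = bytearray(count_off + 4)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[16:16 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, hash_value)
    ft = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, ft_off, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)

def demo():
    """Build a constructed Vista/7 (version 23) header and parse it back."""
    sample = build_sample(23, "CALC.EXE", 0x7DC8A4D2,
                          datetime(2011, 4, 15, 12, 0, tzinfo=timezone.utc), 7)
    return parse_prefetch(sample)

if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

To inspect a real file, pass the bytes of a .pf from C:\Windows\Prefetch to parse_prefetch; the function rejects anything without the SCCA signature or with an unsupported version instead of guessing.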

Unfortunately, most commercial forensic tools do not provide an easy way to examine this treasure trove of forensic evidence. So, like any other problem – instead of complaining about it, I did something about it.